lenovo-x1-gen11-hardening: build image with dm-verity

Signed-off-by: Humaid Alqasimi <humaid.alqassimi@tii.ae>

Author: humaidq-tii

docs/src/release_notes/ghaf-25.04.md

@@ -123,5 +123,3 @@ Fixed bugs that were present in the [ghaf-25.03](../release_notes/ghaf-25.03.md)
 Released images are available at [archive.vedenemo.dev/ghaf-25.04](https://archive.vedenemo-dev/ghaf-25.04).
 
 Download the required image and use the following instructions: [Build and Run](../ref_impl/build_and_run.md).
-
-

modules/common/systemd/base.nix

@@ -59,6 +59,7 @@ let
         inherit (cfg) withUkify;
         withUserDb = cfg.withHomed;
         withUtmp = cfg.withJournal || cfg.withAudit;
+        withSysupdate = true;
       }
       // lib.optionalAttrs (lib.strings.versionAtLeast pkgs.systemdMinimal.version "255.0") {
         withVmspawn = cfg.withMachines;
@@ -230,7 +231,7 @@ in
     withRepart = mkOption {
       description = "Enable systemd repart functionality.";
       type = types.bool;
-      default = false;
+      default = true;
     };
 
     withHomed = mkOption {
@@ -290,13 +291,13 @@ in
     withCryptsetup = mkOption {
       description = "Enable systemd LUKS2 functionality.";
       type = types.bool;
-      default = false;
+      default = true;
     };
 
     withFido2 = mkOption {
       description = "Enable systemd Fido2 token functionality.";
       type = types.bool;
-      default = false;
+      default = true;
     };
 
     withTpm2Tss = mkOption {

modules/hardware/common/input.nix

@@ -8,10 +8,6 @@ let
 in
 {
   config = {
-    # Disk configuration
-    # TODO Remove or move this
-    disko.devices.disk = cfg.disks;
-
     # Host udev rules for input devices
     services.udev.extraRules = ''
       # Misc

modules/hardware/x86_64-generic/x86_64-linux.nix

@@ -23,8 +23,11 @@ in
     hardware.enableAllFirmware = true;
 
     boot = {
-      # Enable normal Linux console on the display
-      kernelParams = [ "console=tty0" ];
+      # Enable normal Linux console on the display, and QR code kernel panic
+      kernelParams = [
+        "console=tty0"
+        "drm.panic_screen=qr_code"
+      ];
 
       # To enable installation of ghaf into NVMe drives
       initrd.availableKernelModules = [

modules/partitioning/disko-postboot.nix modules/partitioning/btrfs-postboot.nixmodules/partitioning/disko-postboot.nix renamed to modules/partitioning/btrfs-postboot.nix

@@ -1,14 +1,12 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 {
-  config,
   pkgs,
+  config,
   lib,
   ...
 }:
 let
-  cfg = config.ghaf.partitioning.disko;
-
   postBootCmds = pkgs.writeShellApplication {
     name = "postBootScript";
     runtimeInputs = with pkgs; [
@@ -47,9 +45,13 @@ let
       parted -s -a opt "$PARENT_DISK" "resizepart $PARTNUM 100%"
     '';
   };
+
+  enable =
+    ((builtins.hasAttr "verity" config.ghaf.partitioning) && config.ghaf.partitioning.verity.enable)
+    || ((builtins.hasAttr "disko" config.ghaf.partitioning) && config.ghaf.partitioning.disko.enable);
 in
 {
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf enable {
     # To debug postBootCommands, one may run
     # journalctl -u initrd-nixos-activation.service
     # inside the running Ghaf host.

modules/partitioning/disko-debug-partition.nix

@@ -23,7 +23,7 @@ let
 in
 {
   options.ghaf.partitioning.disko = {
-    enable = lib.mkEnableOption "Enable the disko partitioning scheme";
+    enable = lib.mkEnableOption "the disko partitioning scheme";
 
     imageBuilder.compression = lib.mkOption {
       type = lib.types.enum [
@@ -36,6 +36,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    system.build.ghafImage = config.system.build.diskoImages;
     disko = {
       imageBuilder = {
         extraPostVM = lib.mkIf (cfg.imageBuilder.compression == "zstd") ''
@@ -44,71 +45,73 @@ in
         '';
       };
       devices = {
-        disk.disk1 = {
-          type = "disk";
-          imageSize = "60G";
-          content = {
-            type = "gpt";
-            partitions = {
-              boot = {
-                name = "boot";
-                size = "1M";
-                type = "EF02";
-                priority = 1; # Needs to be first partition
-              };
-              esp = {
-                name = "ESP";
-                size = "500M";
-                type = "EF00";
-                content = {
-                  type = "filesystem";
-                  format = "vfat";
-                  mountpoint = "/boot";
-                  mountOptions = [
-                    "umask=0077"
-                    "nofail"
-                  ];
+        disk = {
+          disk1 = {
+            type = "disk";
+            imageSize = "60G";
+            content = {
+              type = "gpt";
+              partitions = {
+                boot = {
+                  name = "boot";
+                  size = "1M";
+                  type = "EF02";
+                  priority = 1; # Needs to be first partition
                 };
-                priority = 2;
-              };
-              swap = {
-                size = "12G";
-                type = "8200";
-                content = {
-                  type = "swap";
-                  resumeDevice = true; # resume from hiberation from this device
-                  randomEncryption = true;
+                esp = {
+                  name = "ESP";
+                  size = "500M";
+                  type = "EF00";
+                  content = {
+                    type = "filesystem";
+                    format = "vfat";
+                    mountpoint = "/boot";
+                    mountOptions = [
+                      "umask=0077"
+                      "nofail"
+                    ];
+                  };
+                  priority = 2;
                 };
-                priority = 3;
-              };
-              root = {
-                size = "40G";
-                content = {
-                  type = "filesystem";
-                  format = "ext4";
-                  mountpoint = "/";
-                  mountOptions = [
-                    "noatime"
-                    "nodiratime"
-                  ];
+                swap = {
+                  size = "12G";
+                  type = "8200";
+                  content = {
+                    type = "swap";
+                    resumeDevice = true; # resume from hiberation from this device
+                    randomEncryption = true;
+                  };
+                  priority = 3;
                 };
-                priority = 4;
-              };
-              persist = {
-                size = "100%";
-                content = {
-                  type = "filesystem";
-                  format = "btrfs";
-                  mountpoint = "/persist";
-                  mountOptions = [
-                    "noatime"
-                    "nodiratime"
-                  ];
+                root = {
+                  size = "40G";
+                  content = {
+                    type = "filesystem";
+                    format = "ext4";
+                    mountpoint = "/";
+                    mountOptions = [
+                      "noatime"
+                      "nodiratime"
+                    ];
+                  };
+                  priority = 4;
+                };
+                persist = {
+                  size = "100%";
+                  content = {
+                    type = "filesystem";
+                    format = "btrfs";
+                    mountpoint = "/persist";
+                    mountOptions = [
+                      "noatime"
+                      "nodiratime"
+                    ];
+                  };
                 };
               };
             };
           };
-        };
+        } // (if (builtins.hasAttr "disks" cfg) then cfg.disks else { });
       };
     };
   };

modules/partitioning/flake-module.nix

@@ -6,7 +6,13 @@
     disko-debug-partition.imports = [
       inputs.disko.nixosModules.disko
       ./disko-debug-partition.nix
-      ./disko-postboot.nix
+      ./btrfs-postboot.nix
+    ];
+    verity-release-partition.imports = [
+      ./verity-partition.nix
+      ./verity-repart.nix
+      ./verity-sysupdate.nix
+      ./btrfs-postboot.nix
     ];
   };
 }

modules/partitioning/verity-partition.nix

@@ -0,0 +1,137 @@
+# Copyright 2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+let
+  roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
+  cfg = config.ghaf.partitioning.verity;
+  debugEnable = config.ghaf.profiles.debug.enable;
+in
+{
+  options.ghaf.partitioning.verity = {
+    enable = lib.mkEnableOption "the verity (image-based) partitioning scheme";
+
+    split = lib.mkOption {
+      description = "Whether to split the partitions to separate files instead of a single image";
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  imports = [
+    "${modulesPath}/image/repart.nix"
+    "${modulesPath}/system/boot/uki.nix"
+  ];
+
+  config = lib.mkIf cfg.enable {
+
+    system.build.ghafImage = config.system.build.image.overrideAttrs (oldAttrs: {
+      nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ pkgs.jq ];
+      postInstall = ''
+        # Extract the roothash from the JSON
+        repartRoothash="$(
+          ${lib.getExe pkgs.jq} -r \
+            '[.[] | select(.roothash != null)] | .[0].roothash' \
+            "$out/repart-output.json"
+        )"
+
+        # Replace the placeholder with the real roothash in the target .raw file
+        sed -i \
+          "0,/${roothashPlaceholder}/ s/${roothashPlaceholder}/$repartRoothash/" \
+          "$out/${oldAttrs.pname}_${oldAttrs.version}.raw"
+
+        # Compress the image
+        ${pkgs.zstd}/bin/zstd --compress $out/*raw
+        rm $out/*raw
+      '';
+    });
+
+    image.repart.split = cfg.split;
+
+    systemd.enableEmergencyMode = debugEnable;
+
+    boot = {
+      kernelParams = [
+        "roothash=${roothashPlaceholder}"
+        "systemd.verity_root_options=panic-on-corruption"
+      ] ++ lib.optional debugEnable "systemd.setenv=SYSTEMD_SULOGIN_FORCE=1";
+
+      # No bootloaders needed yet
+      loader = {
+        grub.enable = false;
+        systemd-boot.enable = lib.mkForce false;
+      };
+
+      # Enable dm-verity and compress initrd
+      initrd = {
+        systemd = {
+          enable = true;
+          dmVerity.enable = true;
+          emergencyAccess = debugEnable;
+        };
+
+        compressor = "zstd";
+        compressorArgs = [ "-6" ];
+
+        supportedFilesystems = {
+          btrfs = true;
+          erofs = true;
+        };
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      cryptsetup
+    ];
+
+    # System is now immutable
+    system.switch.enable = false;
+
+    fileSystems =
+      let
+        tmpfsConfig = {
+          neededForBoot = true;
+          fsType = "tmpfs";
+        };
+      in
+      {
+        "/" = {
+          fsType = "erofs";
+          # for systemd-remount-fs
+          options = [ "ro" ];
+          device = "/dev/mapper/root";
+        };
+
+        "/persist" =
+          let
+            partConf = config.image.repart.partitions."50-persist".repartConfig;
+          in
+          {
+            device = "/dev/disk/by-partuuid/${partConf.UUID}";
+            fsType = partConf.Format;
+          };
+      }
+      // builtins.listToAttrs (
+        builtins.map
+          (path: {
+            name = path;
+            value = tmpfsConfig;
+          })
+          [
+            "/bin" # /bin/sh symlink needs to be created
+            "/etc"
+            "/home"
+            "/root"
+            "/tmp"
+            "/usr" # /usr/bin/env symlink needs to be created
+            "/var"
+          ]
+      );
+  };
+}